
Intellectual Property Blog


Looking Ahead: Kentucky Data Privacy Law to Take Effect January 2026

To ring in the 2026 new year, Kentucky will join the 19 other states that have enacted comprehensive state data privacy laws. The Kentucky Consumer Data Protection Act (“the Act”), going into effect January 1, 2026, applies to any person conducting business in Kentucky or anyone producing goods/services that are targeted to Kentucky residents and meet specific thresholds. A whole new group of consumer rights takes effect with the new law and noncompliance can produce new liability for businesses that run afoul of these provisions, so now is the time for all business owners to familiarize themselves with the new law.

New Rights, New Compliance

The Act provides general guidelines that each person or business must follow concerning collection, storage, and use of consumers’ data, and, perhaps more importantly, provides extensive guidelines on the privacy notice requirements for each person or business. With regard to those targeting Kentucky residents for goods and services, the Act applies only if such persons either: (1) control or process data of at least 100,000 consumers a year; or (2) process data of 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data, defined in the Act as information that is “linked or reasonably linked to a person.”

Businesses collecting Kentucky resident data should be aware of section 4(3) of the Act in particular, which mandates that anyone who is subject to the Act’s provisions must have a “reasonably accessible, clear, and meaningful” privacy notice that includes: (1) the categories of personal data being processed by the business; (2) the purpose for the business processing personal data; (3) procedural steps for how consumers may exercise their rights; (4) the categories of personal data the business shares with third parties; and (5) the categories of third parties with whom the business shares the consumers’ personal data.  

While the Act does not include a private right of action for a person’s or business’s lack of privacy notice and/or violation of their collection, storage, or use of consumers’ data, the Act explicitly provides consumers with several new rights:

  • Right of access
  • Right to correct inaccurate personal data
  • Right of deletion
  • Right of data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling in furtherance of automated decisions that produce legal or similarly significant effects
  • Right to appeal denial of a data subject request

Once a consumer exercises one of his or her rights under the Act, Kentucky data controllers must respond to consumer rights requests within 45 days and establish a process through which consumers can appeal denials of their requests.

Enforcement and Exceptions

Though the most common enforcement actions will concern a company’s direct non-compliance with the Act, section 8(4) provides certain exceptions to a company’s legal liability. Specifically, a company that discloses personal data to a third-party controller or processor is not in violation of the Act if the third party violates the Act, so long as the disclosing company did not have actual knowledge that the third party intended to commit a violation. Conversely, a third-party controller/processor is not in violation of the Act for any violations committed on the part of the company that disclosed the data. Notably, enforcement of the Act must be initiated by the Kentucky Attorney General. Given that the Act is the first of its kind in Kentucky, the frequency and severity of the Attorney General’s enforcement actions remain uncertain.

What to Do Now

Now is the time for Kentucky businesses to determine their data privacy disclosure requirements, such as developing website privacy notices and determining how to handle consumer rights requests or appeals, to ensure compliance with the Kentucky Consumer Data Protection Act.

McBrayer’s Data Privacy, Security, and Technology attorneys can bring you or your business up to speed on Kentucky’s new data privacy law so that you are prepared and compliant before the new year.  

Ameena Khan Per is an Associate of McBrayer PLLC, practicing in the firm's Louisville office. Her law practice primarily focuses on data privacy and security, intellectual property, and trademarks. Mrs. Per can be reached at aper@mcbrayerfirm.com or (502) 327-5400, ext. 1141.






Grace Garner is a law clerk with McBrayer's Louisville office.

Services may be performed by others. This article does not constitute legal advice.
